
Single Click for visitor approval is not working.

rafaelsalvinos
Level 1

Hey guys,

I configured the Guest Portal, and currently my authentication flow works as follows:

1- Visitor connects to the Guest SSID and is redirected to the self-registration portal.

2- Visitor registers on the self-registration portal, entering the sponsor's email for testing.

3- The Sponsor receives an email with a link to Approve / Deny access.

4- The Sponsor clicks Approve, is redirected to the Sponsor Portal, enters the credentials to authenticate on the Portal, and then the visitor's access is granted and the visitor receives the access credentials via the registered email and also via SMS.

To simplify the process, I am trying to enable authentication with a single click, so that the Sponsor, when clicking on Approve, does not have to enter the credentials to access the Portal, but can perform the approval directly, just by clicking on the Approve link.

I performed the following configurations to enable single-click authentication:

Sponsor Portal:
- Within Portal Settings, in the FQDN field I entered the appropriate information, according to DNS.

single-click-01.PNG

 

Self-registered-Guest-Portal

- I activated the option "Require guests to be approved"
- I selected the option "person being visited"

single-click-02.PNG

After these settings, I completed the registration process as a visitor, and entered the approving Sponsor's email.

The Sponsor received an email with a link for approval.

When clicking on the link, the Sponsor is redirected to the Sponsor Portal, however, the "Single click" functionality does not work, and to approve, you still have to enter the credentials manually.

Observations:
The Sponsor email belongs to a user belonging to the approver group.

The URL of the Portal and the link match, therefore, the correct Portal is being called when clicking on the Approve link.

Sponsor Portal Link
https://sponsorportal.employer.com:8443/sponsorportal/PortalSetup.action?portal=a6f50970-2230-11e6-99ab-005056bf55e0


Approve link received in email:

https://sponsorportal.employer.com:8443/sponsorportal/PortalSetup.action?portal=a6f50970-2230-11e6-99ab-005056bf55e0&oneClickToken=Wq8iFA3Z398n2Zwjv345w==&oneClickAction=Approve

Note that the ID of the Sponsor Portal is the same in both links, so the call is correct; in addition, the Token is inserted in the URL of the link.

Does anyone have any suggestions on what else I can check to make the Single Click functionality work?

9 Replies

rafaelsalvinos
Level 1

Although the Single Click functionality is not working, the Sponsor Portal shows that the Single Click functionality is configured.

single-click-03.PNG

 

hslai
Cisco Employee

@rafaelsalvinos The ISE Single Click Sponsor Approval FAQ says:

  • Sponsors logged-in using Single-Sign-On (SSO; SAML or Kerberos-based) or internal users are not supported.
  • Flow has been tested against LDAP running on AD, it should work with other LDAP servers.

If you are using LDAP to auth sponsor users, please engage Cisco TAC to troubleshoot.

 

Arne Bier
VIP

I recently built a single-click guest approval using ISE 3.2 patch 3 and it works great. As @hslai mentioned above, there are some limitations and caveats. In my case, ISE was integrated with AD. ISE will search for the sponsor's email in AD, and if that user is in the Sponsor Group, then the single-click will work. I had some weird issues with some AD user accounts, because the email address was not set for that AD UPN, or in another bizarre case, the username existed in two different AD domains, and the email address was the same. In that case ISE got confused and rejected the user. The fix was to change the email address of one of the AD accounts to something different (to make the search match only the user that I was interested in).  Therefore, AD is your friend. But look deep into the user attributes also, in case you missed something.
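The two failure modes described above (a sponsor account with no mail attribute, and the same address on accounts in two domains) can be reproduced with a small lookup model. This is an added example, not ISE code or anything from the thread: the directory entries, group DNs and addresses are constructed stand-ins, and the resolution rule (exactly one account must carry the address, and it must be in a sponsor group) is an assumption that matches the behaviour Arne observed.

```python
"""Model of resolving a guest's sponsor from the e-mail entered at self-registration.
The directory below is constructed sample data (two domains), not a real AD."""
from collections import defaultdict

SPONSOR_GROUPS = {"CN=GuestSponsors,OU=Groups,DC=corp,DC=example"}  # assumed sponsor group DN

# Constructed accounts: one with no mail, one address duplicated across domains.
AD_ENTRIES = [
    {"dn": "CN=alice,OU=Staff,DC=corp,DC=example", "mail": "alice@example.com",
     "memberOf": ["CN=GuestSponsors,OU=Groups,DC=corp,DC=example"]},
    {"dn": "CN=bob,OU=Staff,DC=corp,DC=example", "mail": None,   # mail attribute never set
     "memberOf": ["CN=GuestSponsors,OU=Groups,DC=corp,DC=example"]},
    {"dn": "CN=carol,OU=Staff,DC=corp,DC=example", "mail": "carol@example.com",
     "memberOf": ["CN=GuestSponsors,OU=Groups,DC=corp,DC=example"]},
    {"dn": "CN=carol,OU=Staff,DC=lab,DC=example", "mail": "carol@example.com",  # same user + mail in 2nd domain
     "memberOf": []},
    {"dn": "CN=dave,OU=Staff,DC=corp,DC=example", "mail": "dave@example.com",
     "memberOf": []},                                              # not a sponsor
]


def resolve_sponsor(email, entries=AD_ENTRIES, sponsor_groups=SPONSOR_GROUPS):
    """Return (status, matching entries). One-click approval is only valid on 'ok':
    exactly one account carries the address and that account is in a sponsor group."""
    wanted = email.strip().lower()
    matches = [e for e in entries if (e["mail"] or "").lower() == wanted]
    if not matches:
        return "not_found", matches      # e.g. the mail attribute is missing on the account
    if len(matches) > 1:
        return "ambiguous", matches      # duplicate address across domains: reject
    if not set(matches[0]["memberOf"]) & sponsor_groups:
        return "not_sponsor", matches
    return "ok", matches


def audit_sponsor_accounts(entries=AD_ENTRIES, sponsor_groups=SPONSOR_GROUPS):
    """Pre-flight check: sponsor-group members with no mail attribute, and any
    address that appears on more than one account anywhere in the forest."""
    missing = [e["dn"] for e in entries
               if set(e["memberOf"]) & sponsor_groups and not e["mail"]]
    by_mail = defaultdict(list)
    for e in entries:
        if e["mail"]:
            by_mail[e["mail"].lower()].append(e["dn"])
    duplicates = {m: dns for m, dns in by_mail.items() if len(dns) > 1}
    return missing, duplicates


if __name__ == "__main__":
    for addr in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(addr, "->", resolve_sponsor(addr)[0])
    print("audit:", audit_sponsor_accounts())
```

Against a real directory the same two checks (empty `mail` on sponsor-group members, duplicate `mail` values across the domains ISE searches) are what to run before blaming the portal configuration.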

Hi Arne,

Is there any guide on how to configure it on 3.2, please? Unfortunately I did not find one yet.

@a_simple_guy - configure what?

Thanks for the reply Arne, and sorry - I should have been more specific. I'm looking for a guide to configure single click sponsor approval in an email message on ISE 3.2. I also have another question - what if I would want all of our employees to have the possibility to grant this right, but our AD is structured in a way that we have users in multiple groups, and also we use more than one AD that has trust, and I have LDAP connectors via different users to all of our AD structure. Some platforms can use this email suffix, but I am not sure if, and how, this could be possible on ISE.

rafaelsalvinos
Level 1

Hello
@Arne Bier 
@hslai 

I checked the shared link of the procedure and found that the email address was not registered in the AD attribute of the Sponsor user I was using. Once this correction was made, the Single-Click function started to work.

The problem now is that the entire authentication process is working normally and the visitor receives the access credential.
The visitor enters username and password on the guest portal and receives the successful authentication message, but is unable to navigate. The message ERR_CONNECTION_CLOSED is issued.

It's not a Firewall or proxy problem, as I did a test, registering the visitor through the Sponsor portal, that is, without self-registration on the GUEST Portal. When I do it this way, the visitor receives the credential in the email and navigates normally.

The problem is that through visitor self-registration, he authenticates but does not navigate. I have already validated redirect, authorization, ACL policies and did not find any errors. Do you have any idea what could cause this problem?

I checked the live logs in ISE and no errors were issued.

auto-registro-guest.PNG

Arne Bier
VIP

What is the final stage of the portal process? Do you redirect the guest to the ISE success page, or to a fixed URL or to the originating URL? 

Does your post-redirection ACL contain the PSN IP addresses too?  I recall that I had to add in the PSN IP TCP/8443 in the WLC ACLs for the "Allow Internet" ACL applied to the guest. Only then did the final success page come up. But I don't know why self-registration flow should be different to the manual portal login method. 

 

Arne Bier
VIP

The method published a while ago here still works in ISE 3.2 - the GUI might have changed since ISE 2.x, but the concepts still apply.

As for the other question, you'd have to try it out by adding all the various AD Groups to the ISE Sponsor Group definition - users that match any of those groups will be allowed to execute the one-click.

 

ArneBier_0-1710981554904.png